In this time of heightened security concerns, most employers have sternly warned employees not to use passwords like “password,” but that doesn’t mean companies are making significant headway in eliminating the problem of weak passwords that compromise an organization’s security.
The LastPass 2018 Global Password Security Report reports the average password security score of more than 43,000 businesses is 52%, a “fair” score that still shows a need for more effective policies and training. The analysis was made by looking at various factors such as the number of weak passwords and the strength of shared passwords (workers share an average of six passwords with their colleagues).
Password security is often top-of-mind for companies, and it’s predicted that the most popular passwords that use a string of numbers, letters, and special characters will become extinct in the next several years because they make systems too vulnerable. Instead, biometrics and facial recognition will become more popular – although they are currently not without glitches such as failing to recognize the user with a different hairstyle.
Companies are obviously concerned about password security: 45% of them now use multi-factor authentication, compared to just 25% of businesses last year, the report finds. For example, Deakin University in Australia tries to make multi-factor authentication simple for users by asking them to use two different pieces of information to prove their identity. Users might be asked for something they have, something they are, or something they know.
However, since passwords will continue to be used by many businesses and remain vulnerable to hackers, there are ways to boost security for those still using them. Experts suggest that organizations:
- Avoid the obvious. Anyone who has watched the 1980s movie “WarGames” knows that a teenager was able to figure out a password simply by guessing it was a child’s name. Hackers use the same strategy today: pets’ names, children’s names, spouses’ names and other personal details such as a birthdate are easy to guess and should not be used. Employees should use a password manager to help them maintain complex passwords, or write them down – without their usernames – and store them securely away from the device.
- Forget frequent changes. Some organizations require workers to swap out passwords every 30 to 90 days, but such a practice may actually do more harm than good. While changing a password is a no-brainer if a company is hacked, requiring workers to make frequent changes for no reason means they are likely to choose only slight variations of a password – or an easy one – to reduce the hassle of the password change. Instead, companies need to require changes only when necessary, and advise workers to use completely different passwords.
- Monitor unusual activity. The National Cyber Security Centre recommends that remote password logins be monitored and that accounts be locked after 10 failed attempts.
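The lockout rule in the last point is simple enough to show in code. The following is an added example, not code from the article or from the NCSC: it replays a small constructed login log, counts consecutive failures per account, locks an account at the 10th failure, resets the counter on a successful login, and treats every later attempt against a locked account as blocked. The log line format and the account names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Threshold taken from the NCSC guidance cited in the article: lock after 10 failed attempts.
LOCKOUT_THRESHOLD = 10

# Constructed sample log (not from the article). The line format is an assumption:
#   <timestamp> remote-login <FAILED|OK> user=<name> src=<ip>
SAMPLE_LOG = "\n".join(
    # 12 consecutive failures for "alice": the 10th locks the account, 11 and 12 are blocked
    [f"2018-11-05T09:00:{i:02d}Z remote-login FAILED user=alice src=203.0.113.10" for i in range(12)]
    + [
        # "bob" mistypes twice, then logs in: the failure counter resets
        "2018-11-05T09:01:00Z remote-login FAILED user=bob src=198.51.100.7",
        "2018-11-05T09:01:05Z remote-login FAILED user=bob src=198.51.100.7",
        "2018-11-05T09:01:09Z remote-login OK user=bob src=198.51.100.7",
        # "carol" logs in cleanly
        "2018-11-05T09:02:00Z remote-login OK user=carol src=192.0.2.44",
        # a malformed line, which the parser must skip rather than crash on
        "this line is malformed and must be skipped",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) remote-login (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate_logins(log_text, threshold=LOCKOUT_THRESHOLD):
    """Replay login events in order and apply the lockout rule.

    Returns {user: {"failures": int, "locked": bool, "locked_at": str | None, "blocked": int}}.
    - a FAILED event increments the account's consecutive-failure counter;
    - reaching `threshold` failures locks the account and records the timestamp;
    - an OK event on an unlocked account resets the counter;
    - any event against a locked account is counted as "blocked" and changes nothing
      else, so even a correct password does not silently unlock the account.
    """
    state = defaultdict(
        lambda: {"failures": 0, "locked": False, "locked_at": None, "blocked": 0}
    )
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines we cannot parse
        acct = state[ev["user"]]
        if acct["locked"]:
            acct["blocked"] += 1
            continue
        if ev["result"] == "FAILED":
            acct["failures"] += 1
            if acct["failures"] >= threshold:
                acct["locked"] = True
                acct["locked_at"] = ev["ts"]
        else:
            acct["failures"] = 0
    return dict(state)


def locked_accounts(log_text, threshold=LOCKOUT_THRESHOLD):
    """Sorted names of the accounts the rule would lock, suitable for an alert or report."""
    return sorted(u for u, s in evaluate_logins(log_text, threshold).items() if s["locked"])


if __name__ == "__main__":
    for user, summary in evaluate_logins(SAMPLE_LOG).items():
        print(user, summary)
    print("locked:", locked_accounts(SAMPLE_LOG))
```

Counting per account, as the article's guidance does, means a burst of failed attempts against one username locks only that user; in practice the rule is usually paired with a time-based unlock or per-source rate limiting so that legitimate users are not kept out indefinitely.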
Research shows that nearly half of organizations can’t maintain password security, underscoring the pressing need for companies to do all they can to protect valuable assets that are constantly being targeted by criminals.